The Jericho Forum recently released new guidance on what it believes could be an effective way to centrally manage users' ever-multiplying identities.

How many usernames and passwords do most people have to remember? Twenty? Thirty? More?


The fact is most people have dozens of online accounts, each requiring its own username and password. That is too many to remember, which leads many to use insecure password management practices: They tend either to use the same password across multiple accounts, or write down their credentials.

To address this problem, the Jericho Forum, the think tank that coined the word “de-perimeterisation” six years ago, and sparked an industry-wide rethink of how we do security in the world of the Internet and mobile devices with its 10 commandments, has turned its attention to the thorny issue of identity and access management (IAM). The Forum has produced a new set of commandments (14 of them this time) that it hopes will help create a fundamental change in how security pros handle the subject.

The starting assumption of the new project is that the current model of usernames and passwords is broken -- merely a hangover from the mainframe era when users accessed just one system and things were a lot simpler -- and is not geared to modern needs of collaboration and operation in the cloud.

Instead, Jericho is proposing that the future of identity management employ a user-centric approach, where individuals have a core identifier that defines who they are, and to which only they have access.

The Jericho project aims to take NSTIC (the US National Strategy for Trusted Identities in Cyberspace) a step further and provide guidance on how this identity ecosystem could be achieved in an effective way. “NSTIC doesn’t go into the details of how you do this stuff,” said Paul Simmonds, a founder and board member of the Jericho Forum. “We are trying to provide the high-level commandments, so if you are going to implement it, these are good principles to follow.”

Key to the new approach is the creation of a core identifier for every individual (as well as every device, piece of code or organisation) that wants to connect over the Internet. In the case of people, the core identifier would be a code cryptographically generated by algorithms based on certain aspects of the individual -- such as fingerprints, or face or voice patterns -- and could be stored in a variety of ways, such as a chip card with a fingerprint reader, or in a mobile phone with a forward-facing camera that recognises the user’s face or voice. “In 20 years’ time, you could have a chip inserted into you, as we do today with Pet Passports, that links to your DNA,” Simmonds said.

These core identifiers could be issued by government -- as is happening in a national scheme in Austria (.pdf) -- or through trusted authoritative bodies. Simmonds suggested these could be companies such as Verizon or AT&T in the US, or the Post Office in the UK.

Having established the core identifier, users could then create a number of personas for different facets of their lives -- such as one persona for accessing social networking sites, and another for accessing electronic health records. The key, in theory, is that each persona could operate without anyone being able to link them to the same person, allowing the individual to protect his or her privacy. “Each persona has an identifier that is linked cryptographically back to the core identifier. But you can’t go between the personas, and you can’t go back up from a persona to derive the core identity,” Simmonds said.

He admitted this separation of personas, designed to help individuals control who sees their information, would need to be supported by strong cryptography.
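The persona separation Simmonds describes, as an added example that is not from the Jericho Forum or its commandments: a constructed Python sketch in which each persona's secret is derived from the core identifier with HMAC-SHA256 (my choice of primitive, not something the model prescribes), so a relying party that holds one persona's key can neither recover the core nor link it to another persona. The DOMAIN prefix, the persona labels and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sketch, not Jericho Forum code: one secret core identifier held
# only by the individual, with per-persona secrets derived one-way from it.
DOMAIN = b"IDeA-persona-v1:"  # hypothetical prefix that separates contexts


def new_core_identifier() -> bytes:
    """Core identifier: a high-entropy secret that never leaves the holder."""
    return secrets.token_bytes(32)


def persona_secret(core: bytes, label: str) -> bytes:
    """HMAC-SHA256 is a PRF: its output reveals nothing about the key (core),
    and outputs for different labels are computationally unlinkable."""
    return hmac.new(core, DOMAIN + label.encode(), hashlib.sha256).digest()


def persona_identifier(core: bytes, label: str) -> str:
    """Public handle for one persona; hashing keeps the persona secret off the wire."""
    return hashlib.sha256(persona_secret(core, label)).hexdigest()[:32]


def enroll(core: bytes, label: str) -> dict:
    """What a single relying party (say, a health-records service) stores:
    only this persona's identifier and key, never the core identifier."""
    return {"id": persona_identifier(core, label), "key": persona_secret(core, label)}


def holder_respond(core: bytes, label: str, nonce: bytes) -> bytes:
    """Holder re-derives the persona secret from the core and answers a challenge,
    so the individual needs to keep only the core, not one secret per service."""
    return hmac.new(persona_secret(core, label), nonce, hashlib.sha256).digest()


def service_verify(record: dict, claimed_id: str, nonce: bytes, response: bytes) -> bool:
    """Relying party checks the challenge response against its stored persona key."""
    expected = hmac.new(record["key"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(record["id"], claimed_id) and hmac.compare_digest(expected, response)


def colluding_services_can_link(rec_a: dict, rec_b: dict) -> bool:
    """Two relying parties pooling their records could link personas only through
    a shared value; independent PRF outputs for different labels share none."""
    return rec_a["id"] == rec_b["id"] or rec_a["key"] == rec_b["key"]
```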

Simmonds insisted that companies could start planning for the new model today. “It initially requires a change of mindset, but much of this is feasible today using SAML (Security Assertion Markup Language), for instance to connect to cloud-based services.”

In the longer term, Simmonds admitted, there will need to be an investment by government in providing the infrastructure to support the IDeA model. But, in a world where services will increasingly be delivered online, he said, the model can lower costs, provide more flexibility and deliver higher levels of security and trust. “Getting identity right will allow faster, more secure and more flexible collaborative business relationships,” he said.

The publication of the IDeA Jericho Forum Commandments (.pdf) will be followed soon by more detailed explanatory documents dealing with the various aspects of the model, Simmonds said.
